NCSC MSP Due Diligence Checklist: A Plain-English Guide for UK SMEs | Assurix
The NCSC's MSP due diligence checklist helps UK SMEs evaluate managed service providers. This guide breaks down each checkpoint in plain English.
What is the NCSC MSP due diligence checklist?
The National Cyber Security Centre (NCSC) published a due diligence checklist specifically for businesses that use, or are considering hiring, a Managed Service Provider (MSP). It sets out the key areas a business should evaluate before trusting an MSP with its systems.
The eight areas the NCSC checklist covers
- Access and authentication - How the MSP controls who can access your systems
- Privileged access management - How admin-level access is controlled and monitored
- Backup and recovery - Whether backups are tested, encrypted, and offsite
- Incident response - Whether the MSP has a tested plan for security incidents
- Service delivery - SLA performance, escalation, and regular reporting
- Change management - How changes to your systems are approved and tracked
- Governance - Named accountability for security at the MSP
- Supply chain - How the MSP manages its own third-party suppliers
What good answers look like
A trustworthy MSP should be able to produce evidence for each area within hours, not days. The strongest evidence is current, dated, and specific to your environment: a live export of who holds admin-level access to your systems, the record of the last backup restore test, the report from the last incident response exercise, or a change log for your estate. Signed policies show intent; technical evidence shows practice, and you want both. Vague reassurances, generic policy documents that never mention your environment, or reluctance to share evidence are red flags.
How Assurix helps
Assurix independently verifies MSPs against all eight areas of the NCSC checklist, continuously. MSPs with an Assurix trustmark can demonstrate compliance at any time, to any client or insurer.
Visit https://assurix.com/blog/ncsc-msp-due-diligence-checklist-sme-guide to view the full interactive page.